[WARNING] Untangle v14 Beta has launched

Sky-Knight

At this time I recommend all Untangle admins disable automatic updates. The next version of Untangle brings with it some very nice new features, but it's also built on Debian 9. As this upgrade requires a manual selection of a new kernel after a reboot, that brings with it potential risk during upgrade.

I do not recommend anyone perform this upgrade without being ready to reinstall, plan accordingly. If you do so, Mr. Murphy will work for you instead of against you.

And if you're using my Nexgen Appliances, NG Series hardware, you'll need to take the additional step of removing any CF Card from your system, or at least disabling the SATA port for said card BEFORE the upgrade. Something about the new kernel hates seeing Clonezilla hanging around, servers end up in rolling reboots, it's not pretty.
 
Do you find that many people use the auto upgrade option? I always make sure that is disabled as it scares the crap out of me. I don't want updates taking down a network during the day from a firewall, Windows 10 is bad enough.
 
I generally recommend using automatic upgrade, the only time I tell people to change this behavior is during an upgrade that does a kernel swap. Most upgrades don't change the OS on the unit, and the ones that do are always a headache.

It's safest to install v14.0 and restore a v13.2.1 backup on it... automagic OS upgrades are just a pain!

That being said, Debian 8 to Debian 9 is REALLY minor, almost as minor as a Windows 10 feature update. So I'm really expecting this one to be rather smooth, as long as you don't have my recovery system in the way. The thing is, you can't select the new kernel unless you're at the console, and the upgrade isn't complete until you're on the new kernel.

Ok, well you CAN reconfigure grub via SSH, BUT that's still bonkers risky... What do you do if you push that button and the router doesn't come back?
 
Yeah I'm spending the next week or so disabling auto upgrades....and then we'll spend the next year going around a lot of 'em doing it 1 by 1. We have a lot in incredibly difficult places...super pain in the arse locations like satellite offices at courthouses, or...those located in rack/cabinets where it's a pain to get a KB/Monitor setup on it.

Rob, did you guys stop with the SD cards at some point recently? Say "all of the NG appliances I bought in 2017"...they clear, or ...might have 'em.
 
So this new version is a beta? Doesn't Untangle have a setting to block beta upgrades? If not why the f-ck not? Running beta on production is just stupid but hey what with Windows 10 updates that is becoming the new norm. :(
 
Of course they don't do that. The new 14 is out in BETA. Rob is being nice enough to warn those of us that have a lot of Untangle units out there, to disable auto update. This gives us plenty of time to do that...before v14 is done with the BETA stage and moves to an official release and put in the stable repositories.
 
You are not getting what I am saying. The only way to auto-update is to include betas? That is what it sounds like, which is a major pain. I have no problem auto-updating to GA versions but not Beta. The choice for beta should be independent of auto-updates. Or am I missing something?
 
I think so.

They announced version 14 is in BETA...for those who love testing BETAs...to go play with it. It is not in the stable repositories.

Current version 13.x units out in production, by default, will check only the stable release repositories. They will not see this BETA 14 as available to them.

After some period of time, Untangle will move version 14 from BETA to Stable/General Release...at which point it will go to the stable repositories, and current 13.x units out in production will begin to see it as an available upgrade. When it gets changed from BETA to Stable...I don't know...a month, two months, three months....something like that. And it will take a while to get sprinkled out across all the units out there and become available as an upgrade. It could be August or September until all the units we have out there see it available.

Untangle's update procedures are more complex than the above, but the overall concept is there.
 
Stonecat is correct, Untangle has a very rapid development cycle, two weeks for alpha, two more weeks for beta, and then onto release. Once the release is made, the following 60-90 days will be spent with boxes at random getting the update and performing it automatically. Now, this process may take longer, it depends on what issues appear during testing. But because it can happen so fast when I see a stable Alpha hit, I start trying to warn people because we've got 15-30 days from now to get rid of automatic upgrades and properly plan for all of this. Otherwise, you'll likely end up with the worst possible box, in the worst possible place, turning into a brick at the worst possible time.

And to answer your question Stonecat, we were shipping CF cards in all capable units up until last week. The only device you've bought from me that isn't a problem is that brand new 100D you picked up middle of last month. And that's only because that unit doesn't have a CF card slot, I never built a recovery system to use the SD Card slot on the front of that platform.

As I said before, SSH into a unit, and run fdisk -l, if you see two disks in the list that unit needs attention.

Finally, this upgrade gets Untangle on Debian 9, which brings with it all sorts of fun new hardware support. All in all, this is a great thing. SSD performance is off the chain compared to Debian 8, so I'm really looking forward to seeing what v14 can do in production. We shouldn't see another Debian base OS upgrade for another two years, and Untangle will likely wait another year out of caution. So we won't go through this particular nightmare again for 2-3 years. As we always do with Untangle, every 2-3 years we get an ugly upgrade. Here we go again! Once we're past it it's back to happy go lucky automagic upgrades.

P.S. This release finally has working EFI support, so that's nice too. Though I'm going to stick with MBR partitioning and BIOS emulation in my images for now.
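
The `fdisk -l` check described in the post above, as an added example that is not part of the original post: it counts the `Disk /dev/...` header lines and flags a unit showing two or more disks. The function names and sample outputs are constructed for illustration, and skipping loop and ram devices is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): count disks in `fdisk -l` output.

# Print each disk fdisk reports, one per line. Only "Disk /dev/..." header
# lines are considered; loop and ram devices are skipped (assumption: those
# are never the recovery card).
list_disks() {
    awk '/^Disk \/dev\// {
        dev = $2
        sub(/:$/, "", dev)
        if (dev !~ /^\/dev\/(loop|ram)/) print dev
    }'
}

count_disks() { list_disks | awk 'END { print NR }'; }

# Succeeds (exit 0) when the output on stdin shows two or more disks.
needs_attention() { [ "$(count_disks)" -gt 1 ]; }

# Constructed sample: main SSD plus a second, smaller disk.
sample_two_disks() {
    cat <<'EOF'
Disk /dev/sda: 111.8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Disklabel type: dos
Disk identifier: 0x0001a2b3

Device     Boot Start       End   Sectors   Size Id Type
/dev/sda1  *     2048 234441647 234439600 111.8G 83 Linux

Disk /dev/sdb: 7.5 GiB, 8004304896 bytes, 15633408 sectors
Units: sectors of 1 * 512 = 512 bytes
EOF
}

# Constructed sample: one real disk plus a loop device that must not count.
sample_one_disk() {
    cat <<'EOF'
Disk /dev/loop0: 64 MiB, 67108864 bytes, 131072 sectors
Disk /dev/sda: 111.8 GiB, 120034123776 bytes, 234441648 sectors
Disk identifier: 0x0001a2b3
EOF
}

for s in sample_one_disk sample_two_disks; do
    if $s | needs_attention; then echo "$s: needs attention"; else echo "$s: ok"; fi
done
```

On a live unit the same functions take real output on stdin, for example `fdisk -l | list_disks` run as root over SSH.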
 
Kind of a reason I stopped using Untangle was always worried about software updates and failure.

Now I Meraki stuff
 
Worried about software updates and failure... so you changed to a platform operated by a cloud control center you have to pay a subscription to access, and gets hacked into three times a week...

Yeah... that makes perfect sense!

Though depending on when you used Untangle, that's a perfectly fair assessment, v6 through v9 weren't known for safe upgrades. From v10 onward however, things have been pretty easy and brainless. But the kernel and OS updates... those are always going to be a thing, they'll always be a thing. You don't get new firmware automatically on routers for that reason.
 
I ran Untangle about 6-7 years ago on some hardware vendor that was well praised. Hardware was solid but literally all 5 had issues during some upgrade.

In the years following I always looked at it but the costs are much higher than a more known brand with better warranty.

Meraki comes with next business day warranty and the license is required with any UTM.

I'm long past those open source days.

Meraki + Ubiquiti (switches and ap)

Or all Ubiquiti

Very well performing equipment on my end.

What hacks are you talking about? I have never heard of that.
 
Happens with out of the box stuff too....I've been through a few firmware blowups on boxed firewalls, they're not immune.
Flexibility of a *nix firewall, the client's box can catch on fire and burn to a crisp, I don't have to deal with overseas support for some boxed firewall, I can grab any x86 computer, install Untangle in 15 minutes, restore the config..and client is up and running quickly. For years it's been much more flexible for us and our clients' needs, at 1/3 or 1/2 the price.
 
Don't think the price thing is a win these days.

I remember Untangle costing $400-500/year
 
And today Untangle is $50 / year, for noncommercial applications, with no device limit.

The price buckets today are exactly the same as they were when I got started with the product on version 5, the only difference is today, it doesn't top out at 150 devices before it goes to the unlimited step, it tops out at 1000.

Shocking... costs go up with the number of protected devices...

Though based purely on price, it doesn't have the shine it used to. Total cost vs Sonicwall is heavily weighted in Sonicwall's favor. Right up until you account for the tech time required to administrate the thing and investigate any issues. Then Untangle owns them all simply because of the reports.

In my experience, an Untangle subscription pays for itself in pure tech time over a year. And that's long before any of the other actual listed benefits.

BUT, Untangle needs an actual server, not ARM junk. So while the software is in the same price ballpark as other products, the hardware platforms you require are orders of magnitude more expensive. But, see benefits of having a real reporting engine for the trade. Sonicwall and Meraki's logs are crap, I don't have the time or patience for that stuff anymore.
 
I see $540/year for complete package.

Meraki is $785/3 year for advanced security which would be comparable I believe
 